[jolmg]

> Note that TOTP can be handled by any app of the user's choosing

The banks are probably using the same standard behind the scenes, but they don't allow alternate TOTP apps. There's no point where they give you a key to set it up in an alternate app.

I suppose part of the point is a lack of trust in users' ability to handle their own security, and the possibility that they may provide such a key to a compromised TOTP app.

> hardware tokens

It'd be excellent if banks moved back to purpose-specific hardware like that. Even better if it were some standard with multiple providers, like FIDO2.

[fc417fc802]

Yes FIDO2 would be ideal. The stuff about TOTP was a digression regarding the relative security levels between the two. The extra hardware doesn't provide any practical benefit (at least IMO) for the typical person running a FOSS authenticator app on a mobile device with an up-to-date OS. Obviously if you're something like a high volume day trader then it might be a different story but the venerable $5 wrench attack still applies so even then it seems pretty questionable to me.

[jolmg]

> The extra hardware doesn't provide any practical benefit (at least IMO) for the typical person running a FOSS authenticator app on a mobile device with an up-to-date OS.

For the user (and in the context of Pinephones), the benefit would lie in getting banks out of their phones. Banks want a device that's not under the control of the user to use as 2FA. A dedicated hardware key would be a compromise for that. They used to give them out, but I pessimistically imagine that today they might prefer to lose a customer.